Hello tastytea,

I am aware of this "workaround", thank you. :)

I guess I was not precise enough:

The ebuild "drm_master_util-9999"[1] is hosted on my repository, but the ebuild file itself pulls in an external repository[2].

My question is: Is it a best practice to fork the external repository[2] and link my fork with "drm_master_util-9999"[1], so that I have full control over updating the fork, just to check that the external source is not doing shenanigans?

-Ramon

[1] https://codeberg.org/keks24/gentoo-overlay/src/branch/master/x11-misc/drm_master_util/drm_master_util-9999.ebuild#L27
[2] https://github.com/gch1p/drm_master_util.git

On 28/07/2020 10:53, tastytea wrote:
> On 2020-07-28 06:47+0200 Ramon Fischer <ramon_fisc...@hotmail.de> wrote:
>
>> […]
>> The thing I am concerned about is that I am pulling something from
>> an external source, which I am installing on my system and giving it
>> root privileges[4].
>>
>> The only best practice I can think of is to fork the external
>> repository, linking the ebuild to my fork and updating it on demand,
>> so I have full control over it.
>>
>> Would this be the way to do it?
>
> You can mask all packages from a repository in
> /etc/portage/package.mask/ with
>      */*::repo-name
> and unmask the packages you want in /etc/portage/package.unmask/ with
>      x11-misc/drm_master_util::repo-name
> or just the version you want with
>      =x11-misc/drm_master_util-9999::repo-name
> .
>
> The maintainer of the repo could still replace the ebuild with a
> malware installer.
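
Added example, not part of the original messages: a small shell check for the concern discussed in this thread, reporting whether an ebuild's git source is pinned to a fixed commit (for instance in a fork you control) or follows whatever the remote currently serves. `EGIT_REPO_URI` and `EGIT_COMMIT` are git-r3.eclass variables; the function names, URLs and commit id are constructed placeholders.

```sh
#!/bin/sh
# Added example: report whether an ebuild that fetches from git is pinned
# to a fixed commit. Function names and sample ebuilds are constructed.

# get_var NAME FILE: value of the first uncommented NAME= assignment, unquoted.
get_var() (
    line=$(grep -E "^[[:space:]]*$1=" "$2" | head -n 1)
    printf '%s' "${line#*=}" | tr -d "\"'"
)

# audit_ebuild FILE: prints "no-git", "pinned <sha>" or "unpinned <uri>";
# the exit status is non-zero only for the unpinned case.
audit_ebuild() (
    uri=$(get_var EGIT_REPO_URI "$1")
    commit=$(get_var EGIT_COMMIT "$1")
    [ -n "$uri" ] || { echo "no-git"; exit 0; }
    # Only a full 40-hex commit id counts: branch and tag names can be moved.
    if printf '%s\n' "$commit" | grep -Eq '^[0-9a-f]{40}$'; then
        echo "pinned $commit"; exit 0
    fi
    echo "unpinned $uri"; exit 1
)

# Constructed sample ebuilds (placeholder URLs and commit id).
demo_dir=$(mktemp -d)
cat > "$demo_dir/live.ebuild" <<'EOF'
EAPI=7
inherit git-r3
EGIT_REPO_URI="https://example.invalid/upstream/tool.git"
EOF
cat > "$demo_dir/pinned.ebuild" <<'EOF'
EAPI=7
inherit git-r3
EGIT_REPO_URI="https://example.invalid/myfork/tool.git"
EGIT_COMMIT="0123456789abcdef0123456789abcdef01234567"
EOF
cat > "$demo_dir/tarball.ebuild" <<'EOF'
EAPI=7
SRC_URI="https://example.invalid/tool-1.0.tar.gz"
EOF

for f in live pinned tarball; do
    printf '%s: %s\n' "$f" "$(audit_ebuild "$demo_dir/$f.ebuild" || true)"
done
```

A pinned commit only fixes what is fetched; the pinned revision still has to be reviewed before it is trusted.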


